Abstract

We initiate the study of markets for private data, using differential privacy. We model a data 
analyst who wishes to buy sensitive information to estimate a population statistic. The analyst 
wishes to obtain an accurate estimate cheaply, while the owners of the private data experience 
cost for their loss of privacy. 

Our main result is that this problem can naturally be viewed and optimally solved as a 
variant of a multi-unit procurement auction. We derive auctions which are optimal up to small 
constant factors for two natural settings: 

1. A data analyst with a fixed accuracy target, wishing to minimize his payments. 

2. A data analyst with a hard budget constraint, wishing to maximize his accuracy. 

In both cases, our comparison class is the set of envy-free pricings. 

We then define a more stringent privacy model, and show that no individually rational 
mechanism in this model can achieve non-trivial accuracy. We propose several directions for 
future research to remedy this situation. 
1 Introduction



Organizations such as the Census Bureau and hospitals have long maintained databases of personal 
information. However, with the advent of the Internet, many corporations are now able to aggregate 
enormous quantities of sensitive information, and use, buy, and sell it for financial gain. Up until 
recently, the purchase and sale of private information was the exclusive domain of aggregators - 
it was obtained for free from the actual owners of the data, for whom it was sensitive. However, 
recently, companies such as "mint.com" and "Bynamite" have started acting as brokers for private 
information at the consumer end, paying users for access to their sensitive information [Loh10,
Cli10]. Many others, such as Yahoo, Microsoft, Google, and Facebook are also implicitly engaging
in the purchase of private information in exchange for non-monetary compensation. In short, 
"privacy" has become a commodity that has already begun to be bought and sold, in a variety of 
ad-hoc ways. 

Despite the commoditization of privacy in practice, markets for privacy lack a theoretical foun- 
dation. In this paper, we initiate the rigorous study of markets for private data. Our goal is not to 
provide a complete solution for the myriad problems involved in the sale of private data, but rather 
to introduce a crisp model with which to investigate some of the many questions unique to the sale 
of private data. The study of privacy as a commodity is of immediate relevance, and also a source 
of many interesting theoretical problems: we hope that this paper elicits more new questions than 
it answers. 

First, let us briefly consider some of the issues that make privacy distinct from other commodi- 
ties that we often deal with, and why this may complicate its sale: 

1. First and foremost, in order to sell privacy, it is important to be able to define and quantify
what we mean by privacy. In this regard, the commoditization of privacy has dovetailed nicely
with the development of the theoretical underpinnings of privacy: recent work on differential
privacy [DMNS06] (Definition 2.1) provides a compelling definition and a precise way in which
to quantify its sale. Importantly, as we will discuss, the guarantee of differential privacy has 
a natural utility-theoretic interpretation that makes it a natural quantity to buy and sell. 

2. Private data is a good that exhibits intrinsic complementarities: a data analyst will typically 
not be interested in the private data of any particular individual, but rather in a representative 
sample from a large population. Nevertheless, he must purchase the data from particular 
individuals! Clearly, if there may be unknown correlations between individuals' values for
privacy and their private data, then the typical strategy of "buying from the cheapest sellers" 
is doomed to fail in this regard. How should an auction be structured by an analyst who 
wishes to calculate some value which is representative of an entire population? 

3. An individual's cost for privacy may itself be private information. Suppose that Alice visits 
an oncologist, and subsequently is observed to significantly increase her value for privacy: 
this is of course disclosive! Is it possible to run an auction for private data that compensates 
individuals for the privacy loss they incur, simply due to the effect that their bids have on 
the behavior of the mechanism? 

1.1 Differential Privacy as a Commodity 

Differential privacy, formally defined in Section 2, was introduced by Dwork et al. [DMNS06] as
a technical definition for database privacy. Informally, an algorithm is $\epsilon$-differentially private if
changing the data of a single individual does not change the probability of any outcome of the
mechanism by more than an $\exp(\epsilon) \approx (1 + \epsilon)$ multiplicative factor. Differential privacy also has a
natural utility-theoretic interpretation that makes it a compelling measure with which to quantify
privacy when buying or selling it.$^1$

An important property of an $\epsilon$-differentially private algorithm $A$ is that its composition with
any other database-independent function $f$ has the property that $f(A)$ remains $\epsilon$-differentially
private. This allows us to reason about events that might seem quite far removed from the actual
output of the algorithm. Quite literally, a guarantee of $\epsilon$-differential privacy is a guarantee that
the probability of receiving phone calls during dinner, or of being denied health insurance will not
increase by more than an $\exp(\epsilon)$ factor. This allows us to interpret differential privacy as a strong
utility theoretic guarantee that holds simultaneously for arbitrary, unknown utility functions: for
any individual, with any utility function $u$ over (arbitrary) future events, an $\epsilon$-differentially private
computation will decrease his future expected utility by at most an $\exp(-\epsilon) \approx (1 - \epsilon)$ multiplicative
factor, or equivalently, by an $\epsilon\,\mathbb{E}[u(x)]$ additive factor, where the expectation is taken over all future
events that the individual has preferences over. Therefore, there is a natural way for an individual
to assign a cost to the use of his data in an $\epsilon$-differentially private manner: it should be worth to
him an $\epsilon$-fraction of his expected future utility. We expand on this in Section 2.3.

1.2 Results 

Our main contribution is to show that any differentially private mechanism that guarantees a certain 
accuracy must purchase a certain minimum amount of privacy from a certain minimum number 
of agents (both of which depend on the desired accuracy), which reduces the problem of privately 
providing an accurate answer to a relatively simple form of procurement problem. Specifically, we 
study the following stylized model. There are $n$ individuals $[n]$, each of whom possesses a private bit
$b_i$, which is already known by the administrator of the private database (for example, a hospital).
Each individual also has a certain cost function $c_i : \mathbb{R}_+ \to \mathbb{R}_+$, which determines what her cost $c_i(\epsilon)$
is for her private bit $b_i$ to be used in an $\epsilon$-differentially private manner. Any feasible mechanism
must pay each individual enough to compensate him for the use of his private data. Moreover,
individuals may mis-report their cost functions in an attempt to maximize their payment, and so
we are interested in mechanisms which properly incentivize individuals to report their true cost
for privacy. On the other side of the market, the data analyst wishes to estimate the quantity
$s = \sum_{i=1}^n b_i$, and must compensate each individual through the mechanism's payments for this
estimate. The data analyst may either have a fixed accuracy objective and wish to minimize his 
payments subject to obtaining the desired accuracy, or alternately have a fixed budget and wish to 
maximize the accuracy of his estimate within this budget. 

We first consider the simpler model, in which individuals must be compensated for loss of 
privacy to their bits $b_i$, but not for any privacy-leakage due to implicit correlations between $b_i$ and
their cost function $c_i$ (i.e., if the mechanism does not use an individual's bit $b_i$ at all in computing
an estimate for the data analyst, the mechanism does not have to compensate individual i, even 
if changing her cost function would result in a different outcome for the mechanism). In trying to 
design an auction that guarantees the data analyst an accurate estimate of s, one might consider 
any number of complicated mechanisms that (for example) randomly sample individuals, and then 
attempt to buy from entire random samples - there are many variations therein, and indeed, this 
was the direction from which we first explored the problem. Our main result is that it is not
necessary to consider such mechanisms. We show that we may abstract away the structure of
the mechanism, and without loss of generality consider multi-unit procurement auctions. This has
some immediate consequences: if we are interested in the setting for which the data analyst has a
fixed accuracy goal, subject to which he wishes to minimize his payment, then we show that the
standard VCG mechanism is optimal among the set of envy-free mechanisms. If we are instead
interested in the setting for which the data analyst has a fixed budget subject to which he wishes
to maximize his accuracy, then we are in a more unusual procurement-auction setting: the buyer
wishes to maximize the number of sellers he can buy from, and the cost to the sellers is a function of
who else sells their data! In this setting, we give a truthful mechanism that is instance-by-instance
optimal among the set of all fixed-price (envy free) mechanisms. We remark that our choice of
fixed-price mechanisms as a benchmark has become standard in prior-free mechanism design (see,
e.g. [HK07, HR08]), but stands on firmer ground in auction settings for which Bayesian-optimal
mechanisms are known also to charge fixed prices. We operate in a setting in which
Bayesian-optimal mechanisms are not known, and so justifying (or improving) this choice of benchmark in
our setting is an interesting open problem. (We note that [EG11] derives the Bayesian optimal
auction for a budget-constrained buyer who wants to purchase a set of items with maximum value
subject to her budget constraint, but the model in [EG11] does not capture our procurement auction
problem with externalities which arise because the amount of privacy that needs to be bought from
an individual (and therefore the cost to that seller) depends on the total number of individuals
from whom privacy is being purchased.)

1 This utility theoretic interpretation has been used in another context: the work of McSherry and Talwar, and
Nissim, Smorodinsky and Tennenholtz [MT07, NST10] using differential privacy as a tool for traditional mechanism
design.

We then show a generic impossibility result: it is not, in general, possible for any direct revelation 
mechanism to compensate individuals for their privacy loss due to unknown correlations between 
their private bits $b_i$ and their cost functions $c_i$. If their costs are known to lie in some fixed range
initially, it is possible to offer them some non-trivial privacy guarantee, but finding the correct 
model in which to study the issue of unknown correlations between data and valuation for privacy 
is another important direction in which to take this research agenda. 

1.3 Related Work 

1.3.1 Differential Privacy and Mechanism Design 

McSherry and Talwar proposed that differential privacy could itself be used as a solution concept in 
mechanism design [MT07]. They observed that a differentially private mechanism is approximately
truthful, while simultaneously having some resilience to collusion. Using differential privacy as a
solution concept as opposed to dominant strategy truthfulness, they gave some improved results in
a variety of auction settings. Gupta et al. also used differential privacy as a solution concept in
auction design [GLM+10].

In a beautiful follow-up paper, Nissim, Smorodinsky, and Tennenholtz [NST10] made the point
that differential privacy may not be a compelling solution concept when beneficial deviations are
easy to find (as indeed they are in the mechanism of [MT07]). Nevertheless, they demonstrated
a generic methodology for using differentially private mechanisms as tools for designing exactly 
truthful mechanisms that do not require payments, and demonstrate the utility of this framework 
by designing new mechanisms for several problems. 

In this paper, we consider an orthogonal problem: we do not try to use differential privacy as 
a tool in traditional mechanism design, but instead try to use the tools of traditional mechanism 
design to sell differential privacy as a commodity. Nevertheless, we also use the utility theoretic 
properties of differential privacy that allow McSherry and Talwar to prove that it implies
approximate truthfulness to motivate why it is natural for individuals to have linear cost functions for
differential privacy.

In very recent work, Xiao [X11] addresses another question at the intersection of differential
privacy and mechanism design: suppose the output of the database sanitization mechanism can be 
interpreted both as a sensitive quantity that must satisfy a differential privacy requirement, as well 
as the outcome of a game, the utility from which motivates agents to participate in the database in 
the first place. With this interpretation, it is reasonable to imagine that participants may lie about 
the bit stored in the database itself, in order to improve their utility from this game. Xiao shows 
how to construct mechanisms that are simultaneously exactly truthful and differentially private, 
but also shows that this conjunction of truthfulness and differential privacy may not be sufficient 
to elicit truthful behavior when agents value privacy, i.e., have a cost to the information leaked by 
the mechanism about their private bit. Chen et al. [CCK+11] propose a new, more general way of
measuring privacy in agents' utility functions than that in [X11], and construct mechanisms that
are truthful when including this privacy measure in the agents' utilities for settings that include 
2-candidate voting, discrete facility location, and the Groves mechanisms for public projects. The 
key differences between our work and this line of investigation arise from what is treated as private
information, i.e., what agents can lie about — the agents in our model cannot lie about their private 
bit, which is already known to the database, but can strategically report their costs for privacy to 
increase their payment from the analyst, whereas the agents in [X11] can lie about their private
data to improve their utility from a game whose outcome depends on this input. 

1.3.2 Auctions Which Preserve Privacy 

Recently, Feigenbaum, Jaggard, and Schapira considered (using a different notion of privacy) how 
the implementation of an auction can affect how many bits of information are leaked about
individuals' bids [FJS10]. Specifically, they study to what extent information must be leaked in second
price auctions and in the millionaires problem. Protecting the privacy of bids is an important
problem, and although it is not the main focus of this paper, we consider it in the context of differential
privacy in Section 5. We consider somewhat orthogonal notions of privacy and implementation
that make our results incomparable to those of [FJS10].

1.3.3 Privacy and Economics 

Privacy and its relation to mechanism design has also been studied from a broader economic 
perspective, although primarily in the context of how preferences for privacy by agents may affect 
mechanisms, rather than in the context of markets for privacy. For example, Calzolari and Pavan 
study the optimal disclosure policy when designing contracts for buyers who are in the position of 
repeatedly choosing between multiple sellers [CP06], and the recent work of Taylor, Conitzer, and
Wagman [TCW10] studies the relationship between the ability of consumers to keep their identity 
private, and the ability of a monopolist to engage in price discrimination. 

An exception is the essay of Laudon [Lau96], which proposes the idea of a market for personal
information — a 'National Information Market' — where individuals can choose to sell or lease their 
information (possibly to be used in aggregation with other individuals' information) in exchange 
for a share of the revenue generated from its use; he argues that only individuals whose cost 
from the 'annoyance' caused by releasing their information is lower than the payment they receive 
will participate in this market. In the same spirit, the work of Kleinberg, Papadimitriou and
Raghavan [KPR01] quantifies the value of private information in some specific settings, and proposes 
that individuals should be compensated for the use of their information to the extent of this value. 
Our individually rational auctions for privacy are conceptually similar to this, but are investigated
within the formal framework of differential privacy, and from the perspective of auction design. 

1.3.4 Relationship to the Differential Privacy Literature 

The now large literature on differential privacy (see [Dwo08] for an excellent overview) has almost
exclusively focused on techniques for guaranteeing $\epsilon$-differential privacy for various tasks, where $\epsilon$
has been taken as a given parameter. What has been almost entirely missing is any normative
guidance for how to pick $\epsilon$. There is a natural tradeoff between the privacy parameter $\epsilon$ and the
accuracy of privacy-preserving estimates (which is well-understood in the case of single statistics,
see [GRS09, BN10]). Therefore, this paper proposes to answer the question of how $\epsilon$ should be
chosen: it should be the smallest value that the data analyst is able to afford, given the individuals' 
valuations for privacy (or equivalently, the smallest value that the owners of the data are willing 
to accept in exchange for their payment). 

We also highlight in this work the explicit tradeoff between compensating individuals for the use 
of their private information, and the accuracy of our resulting estimates. Implicit in previous works 
on privacy has been the idea that for fixed values of $\epsilon$, individuals should be willing to participate
in private databases given only some small positive incentive. However, this incentive may be 
different for different individuals, and without running an auction, a data collector is engaging in 
selection bias: he is only collecting data from those individuals who value their privacy at a low 
enough level to make participation in a given database worthwhile. Such individuals might not
be representative of the general population, and resulting estimates may therefore be inaccurate. 
This source of inaccuracy is hidden in previous works, but we point out that it should be a real 
concern, and we explicitly address it in this paper. 

2 Preliminaries 

We consider a database consisting of the data of $n$ individuals $\{1, \ldots, n\}$ whom we denote by $[n]$.
Each individual $i$ is associated with a private bit $b_i \in \{0, 1\}$, as well as a value $v_i$ parameterizing
a cost function which quantifies their cost for loss of privacy. (We may think of the private bit
as representing the answer to some arbitrary yes or no question. For the sake of discussion, let
us assume that the private bit represents whether the individual has some embarrassing medical
condition.) The private bit $b_i$ is verifiable, and the individual is not endowed with the ability
to lie about their private bit. For example, the bit may already be known to a trusted database
administrator (for example a hospital), or may be directly verifiable by the auctioneer (e.g. through
a blood or saliva sample). On the other hand, the individual may lie about their value for privacy
$v_i$, and must be incentivized to report this parameter truthfully. We formalize this model in the
following section. 

2.1 Differential Privacy 

Formally, a data set or database $D$ of size $n$ is a collection of $n$ elements from some abstract range
$X$: $D \in X^n$. We think of each element in the database as corresponding to the data of a single
individual. Two databases $D, D^{(i)} \in X^n$ are neighbors if they differ only in the data of a single
individual, i.e., if $D_j = D_j^{(i)}$ for all $j \neq i$. The quantification of privacy we employ is that of
differential privacy, due to Dwork et al. [DMNS06]:
Definition 2.1. An algorithm $A : X^n \to R$ (for an abstract range $R$) satisfies $\epsilon_i$-differential privacy
with respect to individual $i$ if for any pair of neighboring databases $D, D^{(i)} \in X^n$ differing only in
their $i$'th element, and for any event $S \subseteq R$:

$$\frac{\Pr[A(D) \in S]}{\Pr[A(D^{(i)}) \in S]} \le \exp(\epsilon_i)$$

An algorithm $A$ is $\epsilon_i$-minimally private with respect to individual $i$ if $\epsilon_i = \inf \epsilon$ such that $A$ is
$\epsilon$-differentially private with respect to individual $i$. Throughout this paper, whenever we say that an
algorithm is $\epsilon_i$-differentially private, we mean that it is $\epsilon_i$-minimally differentially private.

Remark 2.2. A couple of remarks are in order. First note that (unless $A$ computes a constant
function) for $A$ to be differentially private it must be a randomized algorithm. Second, note that
differential privacy states intuitively that no single individual can have a large effect on the output
distribution of an algorithm $A$, and hence the output of $A$ contains little "information" about any
individual. Indeed, if $B$ is a random variable taking values in $X^n$, stating that $A$ is $\epsilon$-differentially
private with respect to each individual $i$ is a stronger guarantee (and in particular implies) that the
mutual information between $B$ and $A(B)$ is at most $\epsilon$: $I(B; A(B)) \le \epsilon$. In particular, note that
as a privacy guarantee, $\epsilon$-differential privacy becomes less meaningful for large values of $\epsilon$. In this
paper, we will restrict our attention to values of $\epsilon < 1$. Note that in this case, $\exp(\epsilon) \approx 1 + \epsilon$.

The following easy fact follows immediately [DMNS06]:

Fact 1. Consider an algorithm $A : X^n \to R$ that satisfies $\epsilon_i$-differential privacy with respect to
each individual $i$, and let $T \subseteq [n]$ denote a set of indices. Consider two databases $D, D^T \in X^n$ at
Hamming distance $|T|$ that differ exactly on the indices in $T$. Then for any event $S \subseteq R$:

$$\frac{\Pr[A(D) \in S]}{\Pr[A(D^T) \in S]} \le \exp\Big(\sum_{i \in T} \epsilon_i\Big)$$

Proof. Consider the sequence of databases $D^0, \ldots, D^{|T|}$ such that $D^0 = D$, $D^{|T|} = D^T$ and for each
$0 \le i < |T|$, databases $D^i$ and $D^{i+1}$ are neighbors, differing in exactly the $i$'th index of $T$. Then
for any event $S$:

$$\frac{\Pr[A(D) \in S]}{\Pr[A(D^T) \in S]} = \prod_{i=0}^{|T|-1} \frac{\Pr[A(D^i) \in S]}{\Pr[A(D^{i+1}) \in S]} \le \prod_{i \in T} \exp(\epsilon_i) = \exp\Big(\sum_{i \in T} \epsilon_i\Big)$$

□ 

A useful primitive for differential privacy is the Laplacian distribution, adding random noise
from which produces differentially private output [DMNS06]:

Definition 2.3. Denote by $\mathrm{Lap}(\sigma)$ the symmetric Laplacian distribution with mean 0 and scaling
$\sigma$. This distribution has probability density function:

$$f(x) = \frac{1}{2\sigma} \exp\Big(-\frac{|x|}{\sigma}\Big)$$

We will sometimes abuse notation and write $\mathrm{Lap}(\sigma)$ to denote the realization of a random variable
drawn from the Laplacian distribution with parameter $\sigma$.
2.2 Mechanism Design

In this section, we specify the utility function of the participants in the mechanism, and in particular, 
how it relates to the privacy guarantees of the mechanism. 

Every individual $i$ has some (unknown to the mechanism) single-parameter cost function with
parameter $v_i$, written $c(v_i, \cdot) : \mathbb{R}_+ \to \mathbb{R}_+$, where $c(v_i, \epsilon)$ represents player $i$'s cost for having his
data used in an $\epsilon$-differentially private manner. Cost functions are normalized so that $c(v_i, 0) = 0$
for all $v_i$, and are assumed to be continuous. We will study two models, informally, one of which
will treat an individual's data only as his private bit $b_i$, and one of which will treat his data as the
tuple $(v_i, b_i)$. Each individual's cost function belongs to the same publicly known family, but the
parameter $v_i$ is known only to the individual, and must be reported to the mechanism. We will
require that the family of cost functions admit a total ordering independently of $\epsilon$. That is, the
property that our results will require is that for any $i \neq j$, and for any $\epsilon \in \mathbb{R}_+$, it should hold that
$c(v_i, \epsilon) < c(v_j, \epsilon)$ if and only if $v_i < v_j$. Natural choices of cost functions which obey this property
are linear cost functions, which take the form $c(v_i, \epsilon) = v_i \epsilon$, exponential cost functions which take
the form $c(v_i, \epsilon) = \exp(\epsilon v_i)$, quadratic cost functions of the form $c(v_i, \epsilon) = v_i \epsilon^2$, as well as many
other natural choices.

A mechanism $M : \mathbb{R}_+^n \times \{0, 1\}^n \to \mathbb{R} \times \mathbb{R}_+^n$ takes as input a vector of cost parameters
$v = (v_1, \ldots, v_n) \in \mathbb{R}_+^n$ and a collection of private bit values $b \in \{0, 1\}^n$, and outputs a real number (an
estimate of some statistic $s$ of $b$ of interest to the "data analyst"), as well as a payment that will
be collected from the data analyst to be distributed to the participants in the mechanism.

We consider two models of privacy: 

1. In the insensitive value model, the mechanism $M$ first inspects the reported cost parameters
$v$ and then selects (as an arbitrary deterministic function of $v$) a randomized algorithm
$A : \{0, 1\}^n \to \mathbb{R}$ together with a set of payments $p_1, \ldots, p_n$. The mechanism then computes $A(b)$,
which is $\epsilon_i$-differentially private with respect to each individual $i$, for some $\epsilon_i$. $M$ outputs a
statistic $\hat{s} = A(b)$, and each individual $i$ experiences cost $c(v_i, \epsilon_i)$. Note that in this model,
individuals incur privacy cost only as a function of the use of their private bit $b_i$, and not as
a function of the use of their value for privacy $v_i$: the algorithm is free to use $v_i$ in any way.
The algorithm pays each individual $p_i$, and collects $P \ge \sum_{i=1}^n p_i$ from the data analyst. Note
that the output of the mechanism from the data analyst's perspective is the pair $(\hat{s}, P)$.

2. In the sensitive value model, $M$ is some randomized algorithm $M : X^n \to R$, for
$X = \mathbb{R}_+ \times \{0, 1\}$ and $R = \mathbb{R}_+ \times \mathbb{R}_+$: i.e. its input is a set of $n$ tuples $(v_i, b_i)$ one for each individual,
and its output is a pair of reals: a statistic $\hat{s}$ and a payment collected from the data analyst
$P$. $M$ itself is $\epsilon_i$-differentially private with respect to each individual $i$ for some $\epsilon_i$, and
each individual experiences cost $c(v_i, \epsilon_i)$. The mechanism compensates each individual an
(unobserved) amount $p_i$, with the restriction that $\sum_{i=1}^n p_i \le P$. Note that in this model,
individuals experience cost as a function of the use of both their private bit $b_i$, as well as their
reported value for privacy $v_i$.

Note that in both cases, the data analyst only learns the total payment $P$ that he must make,
not necessarily the distributions $p_i$ which are made to each individual.

For any $v_i' \in \mathbb{R}_+$ we let $(v_{-i}, v_i')$ denote the vector that results from changing entry $v_i$ in $v$ to $v_i'$.

A player $i$ who receives payment $p_i$, and whose data is used in an $\epsilon_i$-differentially private way
derives utility $u_i = p_i - c(v_i, \epsilon_i)$. Here, $\epsilon_i$ is the privacy parameter of the selected algorithm $A$ if we
are in the insensitive value model, and is the privacy parameter of the mechanism $M$ if we are in
the sensitive value model.
Since any individual may opt against participating in our mechanism, we require first that our
mechanisms be individually rational: 

Definition 2.4. A mechanism $M : \mathbb{R}_+^n \times \{0, 1\}^n \to \mathbb{R} \times \mathbb{R}_+^n$ is individually rational if for all $v \in \mathbb{R}_+^n$:

$$p_i(v) \ge c(v_i, \epsilon_i(v))$$

where here the payment vectors and privacy parameters are viewed as functions of the vector of
reported types $v$. If $p_i(v)$ and $\epsilon_i(v)$ are random variables, we require that our mechanisms are ex-post
individually rational: that is, the above inequality must hold for all realizations of $p_i(v)$ and
$\epsilon_i(v)$. In words, each player must be guaranteed non-negative utility by participating and truthfully
reporting his value to the mechanism.

Since individuals may misreport their costs so as to maximize their gain, we also require our 
mechanisms to be truthful: 

Definition 2.5. A mechanism $M : \mathbb{R}_+^n \times \{0, 1\}^n \to \mathbb{R} \times \mathbb{R}_+^n$ is dominant-strategy truthful if for
all $v \in \mathbb{R}_+^n$, for all $i \in [n]$, and for all $v_i' \in \mathbb{R}_+$:

$$p_i(v) - c(v_i, \epsilon_i(v)) \ge p_i(v_{-i}, v_i') - c(v_i, \epsilon_i(v_{-i}, v_i'))$$

that is, no player can ever increase his utility by misreporting his value for privacy. If $p_i(v)$ and $\epsilon_i(v)$
are random variables, the above inequality should hold in expectation over the internal randomness
of the mechanism.$^2$

The mechanism is run on behalf of some data analyst, who wishes to know an estimate of the 
statistic $s = \sum_{i=1}^n b_i$. The mechanism outputs some randomized estimate of this quantity $s$, where
the randomization is to ensure differential privacy, and the analyst prefers more accurate answers. 
We choose to focus on statistics which can be represented as sums of boolean variables because 
of the central role that they play in the privacy literature (in which they are known as counting 
queries or predicate queries). In particular, the ability to accurately answer queries of this sort is 
sufficient to be able to implement a wide range of machine learning algorithms over the data (see 
[BDMN05]).

Definition 2.6. A mechanism $M$ satisfies $k$-accuracy if for any $D \in \{0, 1\}^n$, it outputs an estimate
$\hat{s}$ such that:

$$\Pr[|\hat{s} - s| > k] < \frac{1}{3}$$

where the probability is taken over the internal coins of the mechanism. 

The constant 1/3 is of course inconsequential: it can be changed to any desired constant without 
qualitatively affecting the results. 

We may consider two dual objectives for our mechanism. Our data analyst may have a fixed
goal of $k$-accuracy for some $k$ in which case we want to design mechanisms which deliver $k$-accurate
estimates of $s$ so as to minimize the sum of the payments. Alternately, our data analyst may have
a fixed budget $B \in \mathbb{R}_+$ (say an NSF grant that can be used for data procurement). In this case,
our goal is to design a mechanism which is $k$-accurate for the smallest possible value of $k$, while
under the constraint that the sum of the payments never exceeds $B$.

2 That is, we require only truthfulness in expectation. However, all of our mechanisms will in fact be ex-post 
truthful, and in fact the payment schemes will be deterministic. Our lower bounds will hold even for mechanisms 
which are merely truthful in expectation, which only strengthens our results. 
2.3 Valuing Differential Privacy

In this section, we provide a brief justification for why individuals should be able to quantify their
cost for experiencing an $\epsilon$-differentially private use of their private data. Say that $\mathcal{A}$ denotes the
set of all future events for which an individual $i$ has preferences over outcomes, and $u_i : \mathcal{A} \to \mathbb{R}$ is a
function mapping events to $i$'s utility for that event. Suppose that $D \in X^n$ is a data-set containing
individual $i$'s private data, and that $M : X^n \to R$ is a mechanism operating on $D$ promising
$\epsilon_i$-differential privacy to individual $i$. Let $D'$ be a data-set that is identical to $D$ except that it
does not include the data of individual $i$ (equivalently, it includes the data of individual $i$, but it
is used in a 0-differentially private manner), and let $f : R \to \Delta\mathcal{A}$ be the (arbitrary) function that
determines the distribution over all future events, conditioned on the output of mechanism $M$.
A basic consequence of differential privacy is the following:

Fact 2. If $M : X^n \to R$ is $\epsilon_i$-differentially private with respect to individual $i$, and $f : R \to R'$ is
any arbitrary (randomized) function, then the composition $f \circ M : X^n \to R'$ is also $\epsilon_i$-differentially
private with respect to individual $i$.

Proof. First, assume that $f$ is a deterministic function $f : R \to R'$. Fix any event $S \subseteq R'$ and let
$T \subseteq R$ be $T = \{r \in R : f(r) \in S\}$. Now for any pair of neighboring databases $D, D' \in X^n$ differing
in their $i$'th coordinate, we have:

$$\begin{aligned}
\Pr[f(M(D)) \in S] &= \Pr[M(D) \in T] \\
&\le e^{\epsilon_i} \Pr[M(D') \in T] \\
&= e^{\epsilon_i} \Pr[f(M(D')) \in S]
\end{aligned}$$

which is what we wanted. To see that the same result holds for randomized mappings $f$, it suffices to
observe that any randomized mapping $f : R \to R'$ is simply a convex combination of deterministic
functions $f : R \to R'$. □

By the guarantee of differential privacy together with Fact 2 we have:

$$\begin{aligned}
\mathbb{E}_{x \sim f(M(D))}[u_i(x)] &= \sum_{x \in \mathcal{A}} u_i(x) \cdot \Pr_{f(M(D))}[x] \\
&\leq \sum_{x \in \mathcal{A}} u_i(x) \cdot \exp(\epsilon_i) \Pr_{f(M(D'))}[x] \\
&= \exp(\epsilon_i) \, \mathbb{E}_{x \sim f(M(D'))}[u_i(x)]
\end{aligned}$$

Similarly,

$$\mathbb{E}_{x \sim f(M(D))}[u_i(x)] \geq \exp(-\epsilon_i) \, \mathbb{E}_{x \sim f(M(D'))}[u_i(x)]$$

Therefore, when individual $i$ is deciding whether or not to allow his data to be used in an
$\epsilon_i$-differentially private way, he is facing the decision about whether he would like his data to be
used in such a way that could change his future utility by at most an additive factor of

$$\Delta u_i = (\exp(\epsilon_i) - 1) \, \mathbb{E}_{x \sim f(M(D'))}[u_i(x)]$$

and so this is a natural quantity for $i$ to value his privacy at. This naturally motivates a cost
function of the form $c(v_i, \epsilon_i) = (\exp(\epsilon_i) - 1) v_i$ (setting $v_i = \mathbb{E}_{x \sim f(M(D'))}[u_i(x)]$). Note that for
small values of $\epsilon_i$, $(\exp(\epsilon_i) - 1) \approx \epsilon_i$, which also motivates linear utility functions of the form:
$c(v_i, \epsilon_i) = \epsilon_i v_i$. Both of these types of cost functions are accommodated by our model, as well as
many other reasonable choices.

3 Characterizing Accurate Mechanisms



In this section, we show necessary and sufficient conditions on the amount of privacy that a mechanism
must purchase from each individual in order to guarantee a fixed level of accuracy. To obtain a
given level of accuracy, we show that a mechanism must purchase at least $\epsilon$ units of privacy, from at
least $|H|$ individuals, where the values of $\epsilon$ and $|H|$ depend on the desired accuracy. We emphasize
that these necessary conditions are independent of any truthfulness requirements on the mechanism,
and arise purely because of the need to achieve accuracy. These conditions apply to both the
sensitive value model and the insensitive value model. This greatly simplifies the mechanism-design
process for auctions for private data, because it allows us to restrict our attention to multi-unit
procurement auctions without loss of generality.

Theorem 3.1. Let $0 < \alpha < 1$. Any differentially private mechanism that is $\alpha \cdot n/4$-accurate must
select a set of users $H \subset [n]$ such that:

1. $\epsilon_i \geq \frac{1}{\alpha n}$ for all $i \in H$.

2. $|H| \geq (1 - \alpha)n$.

Proof. Let $M$ be a mechanism that is $\alpha \cdot n/4$-accurate, and let $H \subset [n]$ be the set of individuals $i$
such that $\epsilon_i \geq 1/\alpha n$. For point of contradiction, suppose that $|H| < (1 - \alpha)n$. Let $\bar{H} = [n] \setminus H$.
We have that $|\bar{H}| > \alpha n$. Let $S = \{x \in \mathbb{R} : |x - s| < \frac{\alpha n}{4}\}$, where $s = \sum_{i=1}^{n} b_i$. By the accuracy of
the mechanism, we have that the estimate $\hat{s}$ output by the mechanism $M(v, D)$ satisfies:

$$\Pr[\hat{s} \in S] \geq \frac{2}{3}$$

Let $H^1 = \{i \in \bar{H} : b_i = 1\}$ and let $H^0 = \{i \in \bar{H} : b_i = 0\}$. Since $H^0$ and $H^1$ form a partition of $\bar{H}$,
it must be that

$$\max(|H^0|, |H^1|) > \alpha n/2.$$

Without loss of generality, assume that $|H^0| > \alpha n/2$ (the other case is identical). Let $T \subset H^0$
such that $|T| = \alpha n/2$. Let $D'$ be the database that results in setting each bit $b'_i = b_i$ if $i \notin T$, and
$b'_i = 1$ otherwise. Note that $D'$ and $D$ have Hamming distance $|T| = \alpha n/2$, and differ exactly on
the indices of $T$. Let $\hat{s}'$ be the estimate generated by $M(v, D')$. By differential privacy of $M$, we
have, using Fact 1:

$$\begin{aligned}
\Pr[\hat{s}' \in S] &\geq \exp\Big(-\sum_{i \in T} \epsilon_i\Big) \cdot \Pr[\hat{s} \in S] \\
&\geq \exp\Big(-\frac{\alpha n}{2} \cdot \frac{1}{\alpha n}\Big) \cdot \frac{2}{3} \\
&= \frac{2}{3\sqrt{e}} \\
&> \frac{1}{3}.
\end{aligned}$$

Let $s' = \sum_{i=1}^{n} b'_i$. Note that $s' = s + \alpha n/2$. If $\hat{s}' \in S$, then by definition: $|\hat{s}' - s| < \alpha n/4$. By the
triangle inequality, we must therefore have that $|\hat{s}' - s'| > \alpha n/4$ with probability strictly greater
than $1/3$, contradicting the assumption that $M$ is $\alpha \cdot n/4$-accurate. □

This theorem can be thought of as our main result, quantifying the necessary trade-off between
accuracy and privacy: to guarantee $\alpha n/4$-accuracy, at least a $(1 - \alpha)$ fraction of the population must
incur at least a $\frac{1}{\alpha n}$ privacy loss. The corollary below follows immediately, translating this into a
lower bound on payment.

Corollary 3.2. Any $\alpha n$-accurate individually rational mechanism must pay out a total payment of
at least:

n (1— 4a)n , 

i=l i=l 

where bidders are ordered such that $v_1 \leq v_2 \leq \cdots \leq v_n$.

We remark that this corollary assumes only individual rationality, and is in general achievable
only by an omniscient mechanism that knows all players' cost functions. No truthful $\alpha n$-accurate
mechanism is able to pay as little as this benchmark in general.

Theorem 3.1 gave necessary conditions on the privacy costs of an accurate mechanism. Next,
we show that up to small constant factors, they are also sufficient conditions for an accurate
mechanism:

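Theorem 3.3. Let $0 < \alpha < 1$. There exists a differentially private mechanism that is $(\frac{1}{2} + \ln 3)\alpha \cdot n$-accurate
and selects a set of individuals $H \subset [n]$ such that:

1. $\epsilon_i = \begin{cases} \frac{1}{\alpha n}, & \text{for } i \in H; \\ 0, & \text{for } i \notin H. \end{cases}$

2. $|H| = (1 - \alpha)n$.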

Proof. Let $H \subset [n]$ be any collection of individuals of size $|H| = (1 - \alpha)n$, selected independently of
their private bits $b_i$, and let $t = \sum_{i \in H} b_i + \alpha n/2$. Observe that for any database $D$, $|t - s| \leq \alpha n/2$.
Consider the mechanism that outputs $\hat{s} = t + \mathrm{Lap}(\alpha n)$. First, we claim that this mechanism
is $(1/2 + \ln 3)\alpha n$-accurate. This follows by the triangle inequality conditioned on the event that
$|\mathrm{Lap}(\alpha n)| \leq (\ln 3)\alpha n$. It remains to verify that this holds with probability at least $2/3$. This is in
fact the case:

$$\Pr[|\mathrm{Lap}(\alpha n)| \geq (\ln 3)\alpha n] = 2 \int_{(\ln 3)\alpha n}^{\infty} \frac{1}{2\alpha n} \exp\left(-\frac{|x|}{\alpha n}\right) dx = \frac{1}{3}$$

We now verify the differential privacy guarantee, which follows from the analysis given in [DMNS06]
of the Laplace mechanism. Let $\hat{s}$ be the estimate calculated on database $D$ (via sum $t$) and let $\hat{s}'$
be the estimate calculated on neighboring database (via sum $t'$). Clearly, for any $i \notin H$ and
for any $S \subset \mathbb{R}$, $\Pr[\hat{s} \in S] = \Pr[\hat{s}' \in S]$ and so $\epsilon_i = 0$. Now consider some $i \in H$ and $S \subset \mathbb{R}$. For
any $S \subset \mathbb{R}$ and $r \in \mathbb{R}$, let $S - r$ denote $\{x - r : x \in S\}$.

$$\begin{aligned}
\Pr[\hat{s} \in S] &= \Pr[\mathrm{Lap}(\alpha n) \in S - t] \\
&= \int_{x \in S - t} \frac{1}{2\alpha n} \exp\left(-\frac{|x|}{\alpha n}\right) dx \\
&\leq \exp\left(\frac{1}{\alpha n}\right) \int_{x \in S - t'} \frac{1}{2\alpha n} \exp\left(-\frac{|x|}{\alpha n}\right) dx \\
&= \exp\left(\frac{1}{\alpha n}\right) \cdot \Pr[\hat{s}' \in S]
\end{aligned}$$

where the inequality follows from the fact that $|t - t'| \leq 1$. □

Theorems 3.3 and 3.1 taken together have the effect of greatly simplifying the space of possible
mechanisms for private data that we need to consider. They imply that without loss of generality
(up to small constant factors in their error term), when searching for $\alpha n$-accurate mechanisms, we
may restrict our attention to a special class of multi-unit procurement auctions, where we seek to
purchase exactly $1/\alpha n$ units of some good (in this case, differential privacy) from exactly $(1 - \alpha)n$
individuals. Once we do this, we have purchased a sufficient quantity of privacy to run the Laplace
mechanism employed in Theorem 3.3, which guarantees the desired accuracy. In the next section,
we consider such mechanisms.

We note that at first blush, one might expect to be able to get an accurate estimate while setting
$\epsilon_i = 0$ for most individuals, by taking a random and (with high probability) representative sample
of the individuals, and operating only on their sampled bits. However, note that an algorithm
$A$ which takes a random sample $S$ of the population, and then runs an $\epsilon$-differentially private
algorithm $A'$ on the sample $S$ results in a privacy cost $\epsilon_i > 0$ to every individual who has a non-zero
probability of having been selected for the sample $S$, so long as $\epsilon > 0$. That is, sampling
(and other randomization procedures) can be a part of the algorithms that we consider, but do not
escape our lower bounds.




4 Deriving Truthful Mechanisms in the Insensitive Value Model 

We now give several positive results in the insensitive value model. 

4.1 Maximizing Accuracy Subject to a Budget Constraint 

In this section, following the characterization of accurate mechanisms in Section 3, we restrict our
attention to algorithms that guarantee $O(\alpha n)$-accuracy by purchasing $1/\alpha n$ units of privacy from
exactly $(1 - \alpha)n$ individuals. We consider the problem of obtaining an estimate $\hat{s}$ of maximum
accuracy, subject to a hard budget constraint$^3$: $\sum_{i=1}^{n} p_i \leq B$. This is a natural objective, for
example, in the case of a data analyst who has $B$ dollars of grant money with which to buy data
for a study, and wishes to buy the most accurate data that he can afford. We give a truthful and
individually rational mechanism for this problem, and show that it is instance-by-instance optimal
among the class of envy-free mechanisms.

We first prove that FairQuery is truthful and individually rational. 

3 This question is related to the problem of designing budget feasible mechanisms in [Sin10, CGL11, EG11], but
differs in that our privacy auction has externalities: a seller's cost for her good is a function of how many other sellers
are chosen as winners by the mechanism.

FairQuery(v, D, B):

Sort $v$ such that $v_1 \leq v_2 \leq \ldots \leq v_n$.

Let $k$ be the largest integer such that $c(v_k, \frac{1}{n-k}) \leq \frac{B}{k}$.

Output $\hat{s} = \sum_{i=1}^{k} b_i + \frac{n-k}{2} + \mathrm{Lap}(n - k)$.

Pay each $i > k$ $p_i = 0$ and each $i \leq k$ $p_i = \min(\frac{B}{k}, c(v_{k+1}, \frac{1}{n-k}))$.



Theorem 4.1. FairQuery is truthful and individually rational, and never exceeds the data analyst's
budget $B$.

Proof. First note that by the analysis from Theorem 3.3, for any $i \leq k$, $\epsilon_i = \frac{1}{n-k}$, and for any
$i > k$, $\epsilon_i = 0$. For $i > k$ therefore, $p_i = c(v_i, 0) = 0$. For $i \leq k$, $p_i = \min(\frac{B}{k}, c(v_{k+1}, \frac{1}{n-k})) \geq
c(v_i, \frac{1}{n-k})$ because $c(v_k, \frac{1}{n-k}) \leq \frac{B}{k}$ by construction and $v_i \leq v_k \leq v_{k+1}$ by definition (recall that
$c(v, \epsilon)$ is increasing in $v$ for every $\epsilon$). Hence, individual rationality is satisfied. Note also that
$\sum_{i=1}^{n} p_i = k \cdot \min(\frac{B}{k}, c(v_{k+1}, \frac{1}{n-k})) \leq B$, and so the budget constraint is also satisfied. It remains
to verify truthfulness:

Fix any $v$, $i$, $v'_i$ and consider $k = k(v)$, $k' = k(v_{-i}, v'_i)$, $p_i = p_i(v)$, $p'_i = p_i(v_{-i}, v'_i)$, $\epsilon_i = \epsilon_i(v)$, and
$\epsilon'_i = \epsilon_i(v_{-i}, v'_i)$. There are four cases:

1. Case 1: $v'_i < v_i$ and $p_i > 0$. In this case, $v'_i$ moves earlier in the ordering and $\epsilon_i = \epsilon'_i$, and
$p_i = p'_i$.

2. Case 2: $v'_i > v_i$ and $p_i = 0$. In this case, $v'_i$ moves later in the ordering and $\epsilon_i = \epsilon'_i = p_i =
p'_i = 0$.

3. Case 3: $v'_i < v_i$ and $p_i = 0$. In this case, $v'_i$ moves earlier in the ordering, but if $p'_i > 0$ then by
construction $p'_i = \min(\frac{B}{k'}, c(v_{k'+1}, \frac{1}{n-k'})) \leq c(v_i, \frac{1}{n-k'})$. This follows because $k'$ is such that
$v_{k'+1} \leq v_i$ for all $i > k$ such that $p'_i > 0$.

4. Case 4: $v'_i > v_i$ and $p_i > 0$. In this case, $v'_i$ moves later in the ordering, and either $p'_i = p_i$
and $\epsilon'_i = \epsilon_i$, or $p'_i = 0$ and $\epsilon'_i = 0$. In the second case, by individual rationality, $p_i - c(v_i, \epsilon_i) \geq
0 = p'_i - c(v_i, \epsilon'_i)$.

Thus in all four cases, deviations are not beneficial, and the mechanism is truthful. □
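FairQuery as an added Python example (not code from the paper): it assumes the linear cost $c(v, \epsilon) = v \cdot \epsilon$ from Section 2.3, breaks ties between equal bids by index, and, as an assumption the paper does not cover, buys nothing and returns $n/2$ when no $k \geq 1$ is affordable. The function names and the sample bids, bits and deviation grid are constructed for illustration; `best_deviation_gain` checks the four truthfulness cases by brute force.

```python
import random

def cost(v, eps):
    """Linear privacy cost c(v, eps) = v * eps (one of the forms motivated in Section 2.3)."""
    return v * eps

def laplace(scale, rng):
    """Lap(scale) sample: the difference of two i.i.d. exponentials is Laplace."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))

def fair_query(v, bits, budget, rng=None):
    """Run FairQuery on reported valuations v, verified bits, and budget B.

    Returns (estimate, payments, epsilons), indexed like the inputs.
    """
    n = len(v)
    order = sorted(range(n), key=lambda i: (v[i], i))  # ascending bids; index breaks ties
    # k = largest k in 1..n-1 with c(v_k, 1/(n-k)) <= B/k, v_k being the k-th smallest bid.
    k = 0
    for cand in range(1, n):
        if cost(v[order[cand - 1]], 1.0 / (n - cand)) <= budget / cand:
            k = cand
    payments, epsilons = [0.0] * n, [0.0] * n
    if k == 0:
        # Assumption (not in the paper): nothing is affordable, so no privacy is
        # bought and the data-independent midpoint n/2 is returned.
        return n / 2.0, payments, epsilons
    eps = 1.0 / (n - k)
    price = min(budget / k, cost(v[order[k]], eps))  # v[order[k]] is v_{k+1}
    for i in order[:k]:
        payments[i], epsilons[i] = price, eps
    rng = rng or random.Random()
    estimate = sum(bits[i] for i in order[:k]) + (n - k) / 2.0 + laplace(n - k, rng)
    return estimate, payments, epsilons

def best_deviation_gain(v, bits, budget, grid):
    """Largest utility gain any one bidder obtains by reporting a value from grid."""
    def utility(i, bids):
        _, pay, eps = fair_query(bids, bits, budget, random.Random(0))
        return pay[i] - cost(v[i], eps[i])  # cost is always taken at the TRUE valuation v[i]
    best = float("-inf")
    for i in range(len(v)):
        honest = utility(i, v)
        for lie in grid:
            bids = list(v)
            bids[i] = lie
            best = max(best, utility(i, bids) - honest)
    return best

# Constructed sample: six bidders, budget B = 3.
BIDS = [0.5, 1.0, 2.0, 4.0, 8.0, 16.0]
BITS = [1, 0, 1, 1, 0, 1]
GRID = [0.1, 0.75, 1.5, 3.0, 3.5, 6.0, 12.0, 20.0]

if __name__ == "__main__":
    est, pay, eps = fair_query(BIDS, BITS, 3.0, random.Random(1))
    print("payments:", pay, "total:", sum(pay))
    print("epsilons:", eps, "estimate:", round(est, 3))
    print("max gain from misreporting:", best_deviation_gain(BIDS, BITS, 3.0, GRID))
```

On the sample, $k = 3$: the three lowest bidders each sell $1/3$ units of privacy for the price $B/k = 1$, which exhausts the budget exactly.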

The next natural question to ask is: does FairQuery guarantee the data analyst a good level of 
accuracy, given his budget? As is always the case in prior-free mechanism design, it is important 
to specify what our benchmark is - good compared to what? Because mechanisms of the kind that 
we are considering always buy the same amount of privacy from an individual from whom they buy 
any privacy at all, a natural benchmark to consider is the set of all "envy-free" mechanisms which 
guarantee that no individual would prefer the outcome granted to any other. 

Definition 4.2. A mechanism for private data is envy-free if for all possible valuation vectors $v$,
and for all individuals $i, j$, $p_i - c(v_i, \epsilon_i) \geq p_j - c(v_i, \epsilon_j)$. That is, after the mechanism has determined
the privacy costs and payments to each individual, there are no individuals who would prefer to have
the payment and privacy cost granted to any other individual.

Observation 4.3. Any truthful envy-free mechanism which buys either no privacy or $\epsilon$-privacy
from each individual (i.e., if $\epsilon_i > 0, \epsilon_j > 0$ then $\epsilon_i = \epsilon_j$) must have the property that for all $i, j$
with $\epsilon_i, \epsilon_j > 0$, $p_i = p_j$. Call such mechanisms fixed purchase mechanisms. That is, envy free
fixed purchase mechanisms must pay each individual from whom privacy is purchased the same fixed
price.

Note that by the characterization in Section 3, we may restrict ourselves to considering fixed
purchase mechanisms essentially without loss of generality (we may lose only a small constant
factor in the approximation factor). Therefore we can compare our mechanism to the envy free
benchmark:

Proposition 4.4. For any set of valuations $v \in \mathbb{R}^n$ (i.e., on an instance-by-instance basis) FairQuery
achieves the optimal accuracy given budget $B$, among the set of all truthful, individually
rational envy-free fixed purchase mechanisms.

Proof. First, observe the easy fact that FairQuery is indeed an envy free fixed purchase mechanism.
We then merely observe that for any vector of valuations $v$, if FairQuery sets $\epsilon_i > 0$ for $k$ individuals,
then by the definition of $k$, it must be that $c(v_{k+1}, \frac{1}{n-k-1}) > \frac{B}{k+1}$, and so any mechanism that
sets $\epsilon_i > 0$ for $k'$ individuals for $k' > k$ must have $p_{k+1} > \frac{B}{k+1}$ by individual rationality. But by
envy-freeness, it must have $p_i = p_{k+1} > \frac{B}{k+1}$ for all $i \leq k'$. But in this case, we would have

$$\sum_{i=1}^{n} p_i \geq k' \cdot p_{k+1} > (k + 1) \cdot \frac{B}{k+1} = B$$

which would violate the budget constraint. □



4.2 Minimizing Payment Subject to an Accuracy Constraint 

In this section, we consider mechanisms for the dual goal of truthfully obtaining a $k$-accurate
estimate for some fixed accuracy constraint $k$ while minimizing the payment required. Again, we
restrict ourselves to the model of multi-unit procurement auctions justified in Section 3. In this
setting, we show that the VCG mechanism is in fact optimal.

Recall that for a fixed accuracy goal $\alpha n$, by Theorem 3.3, it is sufficient to buy $\frac{1/2 + \ln 3}{\alpha n}$
units of privacy from $(1 - \frac{\alpha}{1/2 + \ln 3})n$ people. We may therefore view our setting as a multi-unit
procurement auction in which every individual is selling a single good ($\frac{1/2 + \ln 3}{\alpha n}$ units of privacy),
for which they have valuation $c_i(v_i, \frac{1/2 + \ln 3}{\alpha n})$. The constraint on accuracy simply states that we
must buy $(1 - \frac{\alpha}{1/2 + \ln 3})n$ units of the good. In this case, we can analyze a simple application of
the standard VCG mechanism:

MinCostAuction(v, D, α):

Let $\alpha' = \frac{\alpha}{1/2 + \ln 3}$ and $k = \lceil (1 - \alpha')n \rceil$.

Let $w_i = c(v_i, \frac{1}{\alpha' n})$.

Sort $w_i$ such that $w_1 \leq w_2 \leq \cdots \leq w_n$.

Output $\hat{s} = \sum_{i=1}^{k} b_i + \frac{\alpha' n}{2} + \mathrm{Lap}(\alpha' n)$.

Pay each $i > k$ $p_i = 0$ and each $i \leq k$ $p_i = w_{k+1}$.



We first show that MinCostAuction does indeed satisfy the constraints of truthfulness and 
individual rationality, while obtaining sufficient accuracy. 

Proposition 4.5. MinCostAuction is truthful, individually rational and $\alpha n$-accurate.

Proof. That MinCostAuction is $\alpha n$-accurate follows immediately from Theorem 3.3. Moreover, by
Theorem 3.3, for each $i \leq k$, $\epsilon_i = 1/(\alpha' n)$ and for $i > k$, $\epsilon_i = 0$. Truthfulness and individual
rationality then follow immediately from the fact that each $w_i = c_i(v_i, 1/(\alpha' n))$, that $c_i(\cdot, \epsilon)$ is
an increasing function of $v_i$, and that MinCostAuction is an instantiation of the classical VCG
mechanism. □

MinCostAuction achieves its target utility at a cost of $\sum_{i=1}^{n} p_i = k \cdot w_{k+1}$. We now show that
no other envy-free multi-unit procurement auction with the same accuracy guarantees (i.e. one
that guarantees buying $k$ units) makes smaller payments than MinCostAuction.

Theorem 4.6. No truthful, individually rational, envy-free fixed purchase auction that guarantees
purchasing $k$ units can have total payment less than $k \cdot w_{k+1}$.

Proof. For the sake of contradiction, suppose we have such a mechanism $M$. Fix some vector of
valuations $v$ that yields payments $p(v)$ such that $\sum_{i=1}^{n} p_i(v) < k \cdot w_{k+1}$ (Recall that $w_i = c(v_i, \frac{1}{n-k})$).

First, if it is not already the case, we will construct a bid profile such that an item is purchased from
some seller who is not among the $k$ lowest bidders. It must be that there exists some $i$ such that an
item is purchased from $i$ at a price of $p_i$, such that $w_i \leq p_i < w_{k+1}$ (otherwise $\sum_{i=1}^{n} p_i(v) \geq k \cdot w_{k+1}$).
Let $v' = (v_{-i}, v'_i)$ where $c(v'_i, \frac{1}{n-k}) = (p_i + w_{k+1})/2$, be a bid profile in which bidder $i$ raises his
reported value to be above $p_i$ while remaining below $w_{k+1}$. Note that such a $v'_i$ exists since $c$ is
assumed to be continuous. Let $p' = p(v')$ be the new payment vector. By individual rationality and
truthfulness, it must be that in this new bid profile $v'$, player $i$ is no longer allocated an item: by
individual rationality, he would have to be paid $p'_i > p_i$ if he were allocated an item, but if his true
valuation were $w_i$, then this would be a beneficial deviation, contradicting truthfulness. Because
the mechanism is constrained to always buy at least $k$ items, it must be that in $v'$, an item is now
purchased from some seller $j$ such that $j \geq k + 1$. By individual rationality, $p'_j \geq w_j \geq w_{k+1}$. But by
envy-freeness, it must be that for every seller $i$ from whom an item was purchased, $p'_i = p'_j \geq w_{k+1}$.
Because at least $k$ items are purchased, we therefore have $\sum_{i=1}^{n} p'_i \geq k \cdot w_{k+1}$, which contradicts
the purported payment guarantee of mechanism $M$. □
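MinCostAuction as an added Python example (not code from the paper), assuming the linear cost $c(v, \epsilon) = v \cdot \epsilon$ by default; `miss_rate` measures empirically how often the estimate is off by more than $\alpha n$, which Proposition 4.5 bounds by $1/3$. The function names and sample data are constructed, and rejecting inputs with $k \geq n$ is an added assumption, since the price $w_{k+1}$ would not exist.

```python
import math
import random

def min_cost_auction(v, bits, alpha, rng=None, cost=lambda val, eps: val * eps):
    """Run MinCostAuction; returns (estimate, payments, epsilon_per_winner, k)."""
    n = len(v)
    alpha_p = alpha / (0.5 + math.log(3))   # alpha' from the algorithm box
    k = math.ceil((1 - alpha_p) * n)        # number of units of the good to buy
    if k >= n:
        # Assumption: with no (k+1)-th bid the uniform price w_{k+1} is undefined.
        raise ValueError("alpha too small for n: need ceil((1 - alpha') n) < n")
    eps = 1.0 / (alpha_p * n)               # privacy bought from each winner
    w = [cost(vi, eps) for vi in v]         # each seller's valuation for the good
    order = sorted(range(n), key=lambda i: (w[i], i))
    price = w[order[k]]                     # w_{k+1}: the lowest losing bid
    payments = [0.0] * n
    for i in order[:k]:
        payments[i] = price
    rng = rng or random.Random()
    # Lap(alpha' n), sampled as a scaled difference of two exponentials.
    noise = alpha_p * n * (rng.expovariate(1.0) - rng.expovariate(1.0))
    estimate = sum(bits[i] for i in order[:k]) + alpha_p * n / 2.0 + noise
    return estimate, payments, eps, k

def miss_rate(v, bits, alpha, trials, seed):
    """Fraction of runs whose estimate is off from the true sum by more than alpha*n."""
    rng = random.Random(seed)
    s, n = sum(bits), len(bits)
    misses = 0
    for _ in range(trials):
        estimate = min_cost_auction(v, bits, alpha, rng)[0]
        misses += abs(estimate - s) > alpha * n
    return misses / trials

# Constructed sample: ten bidders with valuations 1..10 and accuracy target alpha = 0.5.
V = [float(i) for i in range(1, 11)]
BITS = [1, 0, 1, 1, 0, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    est, pay, eps, k = min_cost_auction(V, BITS, 0.5, random.Random(1))
    print("k =", k, "epsilon per winner =", round(eps, 4))
    print("total payment k * w_{k+1} =", round(sum(pay), 4))
    print("empirical miss rate:", miss_rate(V, BITS, 0.5, 2000, seed=3))
```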



5 Truthful Mechanisms in the Sensitive Value Model 

In Section 4 we considered truthful, individually rational mechanisms that compensated users for
the privacy loss due to the mechanisms' use of the individual's private bits $b_i$, but not due to the
mechanisms' use of their valuations for privacy. Nevertheless, as we observed in the introduction,
it is quite reasonable to assume that individuals' valuations for privacy are correlated with their
private bits. Can we design mechanisms that treat individuals' valuations for privacy as private
data as well, and compensate individuals for the privacy loss due to the use of their valuations
$v_i$? In this section, we show that the answer is generically 'no' if we allow individuals to have
arbitrarily high valuations for privacy. Moreover, we note that if we try to impose an a-priori
bound on individuals' valuations for privacy, then we re-introduce the same source of sampling bias
that we had hoped to solve by running an auction.

Recall that a mechanism has two outputs: the estimate $\hat{s}$, and the payment $P$ that the data
analyst must make. Note that if the bids are private data as well (i.e. if we are in the sensitive
value model), then a mechanism which is $\epsilon_i$-differentially private with respect to bidder $i$ must
satisfy, for every set of estimate/payment tuples $S$ and for each $(v, D) \in \mathbb{R}^n \times \{0, 1\}^n$,
$\Pr[M(v, D) \in S] \leq \exp(\epsilon_i) \Pr[M(v^{(i)}, D^{(i)}) \in S]$, where $v^{(i)}$ and $D^{(i)}$ are arbitrary vectors that are
identical to $v$ and $D$ everywhere except possibly on their $i$th index.

Theorem 5.1. If bidder valuations for privacy may be arbitrarily large (i.e., $v \in \mathbb{R}^n_+$) then no
individually rational direct revelation mechanism $M$ can protect the privacy of the bidder valuations
and promise $k$-accuracy for any $k < n/2$ (i.e., any nontrivial value).

Proof. For simplicity, consider bidders with linear cost functions: $c_i(v_i, \epsilon_i) = v_i \cdot \epsilon_i$. Assume that
$M$ is $k$-accurate for some $k < n/2$. Run the mechanism $M(v, D)$ and obtain an estimate $\hat{s}$ and
privacy costs $\epsilon_i$ for each $i \in [n]$. Let $P = \sum_{i=1}^{n} p_i$ be the payment that the data analyst makes.
By individual rationality, $P \geq \sum_{i=1}^{n} v_i \epsilon_i \geq \min_i v_i \cdot \sum_{i=1}^{n} \epsilon_i$. We trivially have that either $\Pr[\hat{s} \in
[0, n/2)] \geq 1/2$ or $\Pr[\hat{s} \in [n/2, n]] \geq 1/2$. Without loss of generality, assume $\Pr[\hat{s} \in [0, n/2)] \geq 1/2$.
Let $D' = 1^n$, and let $\hat{s}'$ be the estimate obtained by running $M(v, D')$. By accuracy, we have that:
$\Pr[\hat{s}' \in (n/2, n]] \geq \frac{2}{3}$. However, by differential privacy, together with Fact 1 we have:

$$\frac{2}{3} \leq \Pr[\hat{s}' \in (n/2, n]] \leq \exp\Big(\sum_{i=1}^{n} \epsilon_i\Big) \Pr[\hat{s} \in (n/2, n]] \leq \frac{1}{2} \exp\Big(\sum_{i=1}^{n} \epsilon_i\Big)$$

Solving, we find that $\sum_{i=1}^{n} \epsilon_i \geq \ln(4/3)$ independent of $v$. We therefore have by individual rationality
that $\Pr[P \in [0, \ln(4/3) \min_j v_j)] = 0$. By differential privacy, this must hold simultaneously
for all inputs to the mechanism $(v, D)$: that is, such a mechanism can not charge a finite price $P$
for any input, which completes the proof. □

Remark 5.2. A natural (partial) way around the impossibility result of Theorem 5.1 is to restrict
bidder valuations to lie in a bounded range (e.g. [0,1]). This is unsatisfying, however, because it
re-introduces the very source of sampling bias that we wanted to solve by running an auction. That
is, bidders who happen to value their privacy at a higher rate than allowed by the mechanism will
simply not participate in the auction, which might systematically skew the resulting estimate in a
way that we cannot measure.

6 Conclusion and Future Directions 

The main contribution of this paper is to formalize the notion of auctions for private data, and 
to show that the design space of such auctions can without loss of generality be taken to be the 
simple setting of multi-unit procurement auctions. This initiates an intriguing new area of study 
that raises many questions. Among these are: 

1. What is the proper benchmark for auctions in our setting? In this paper, we used the class
of fixed-price (or envy free) mechanisms, which has become standard in the field of prior-free
mechanism design [HR08, HK07]. Is there a more natural benchmark?

2. We have shown that generically, no direct revelation mechanism can compensate individuals 
for the loss of privacy which results from correlations between their private data and their 
reported costs for privacy. Nevertheless, such correlations exist! It is unsatisfying to restrict 
individual valuations for privacy to lie in a bounded range, because this reintroduces the 
very source of bias that we hoped to overcome by designing auctions. However, is there 
some restricted sense in which we can protect (and compensate users for) the privacy of their 
valuations for privacy? This requires the development of new models. 

3. We have assumed throughout this paper that the private bits of the users, $b_i$, are already known
to some database administrator such as a hospital, or are otherwise verifiable. Although this
is a natural assumption in some settings, what if it does not hold? Is there any way to mediate
the purchase of private data directly from individuals who have the power to lie about their
private data?

4. In this paper we considered an extremely simple market, in which there was a single data 
analyst wanting to buy data from a population. How about a two sided market, in which 
there are multiple data analysts, competing for access to the private data from multiple 
populations? Can we privately compute the market clearing prices for access to data in this 
way? 

5. In this paper we considered a one-shot mechanism. In reality, the administrator of a private 
database will face multiple requests for access to his data as time goes on. How should the 
data analyst reason about these online requests and his value for the marginal privacy loss 
that he will incur after answering each request?